Newsletter

Duff: LulzSec hacking group claims credit for attacks on Senate, CIA

The U.S. Senate has ordered a security review of all its websites after their main site was compromised by the hacking group LulzSec last weekend.

Nothing confidential was lost; hackers only skimmed the surface of public sites, but it's hard to read the headline "Senate email hacked" and pretend it's not a big deal.

This is the same group responsible for recent attacks on Fox, Sony and PBS; the same group that recently attacked a private security company in partnership with the FBI.

On Wednesday they launched a denial of service attack on CIA.gov, making that website unreachable for a day or so.

CIA.gov was back up Thursday morning, including the CIA Kids' Page, one of my favorite destinations on the Web. This site actually features a cartoon spy in sunglasses and a fedora peeking out of an open manhole - so never let it be said that the CIA lacks a sense of humor, even if they do lack a sense of irony.

The recent attacks on government sites seem to be a response to the Pentagon's announcement that a cyber attack originating from another country could constitute an act of war.

LulzSec taunted the government in their press release following the Senate attack, saying, "This is a small, just-for-kicks release of some internal data from Senate.gov - is this an act of war, gentlemen?"

So what does this mean? Are we all just sheep, at the mercy of all-powerful hacker gods? Is our government helpless to protect us from domestic cyberterrorism?

The worst thing about these high-profile hacking incidents is not the vandalism or the (relatively trivial) loss of information, but the mindless hysteria that grips the public whenever some headline writer puts the word "cyber" in front of something.

Cyberterrorism! Cyberwar! I hate these words because I think they minimize the impact of real war and real terrorism.

No one has ever been killed in a cyber attack. No lives have been lost, no blood has been spilled. These are high-profile incidents of cyber theft and cyber vandalism, but it's important to keep them in perspective.

The recent attacks by LolzSec fit the dictionary definition of cyberterrorism. These are deliberate, large-scale disruptions of computer networks, perpetrated by groups that are trying to scare us.

But when we look at the actual cost of these actions, the real world impact is quite small. Are these really acts of war, gentlemen?

I don't think so, but I'm confident that the U.S. government will treat them that way. I'm worried about these attacks, not because I'm worried about the content of Senate emails, but because I'm worried about what the government will do in response.

Consider how the government solves problems in 2011. They don't view these things as isolated incidents to be patched in security reviews and handled at the administrative level - politicians like to pass broad, sweeping legislation that gives them control of things from the top down.

They won't be content to patch a few leaks in the dam. They'll want to fund agencies and build firewalls - forcing all traffic to pass through an Internet version of the TSA.

These are high-profile attacks by an ad hoc group of vandals exploiting known security holes. They should serve as a warning to everyone who has neglected their security up to now. Securing a Web server is a complicated business. It's not easy, and it's not cheap. But securing your front door in cyberspace is just as vital as locking your doors in real life.

IT personnel have to monitor security alerts and constantly apply patches to counter known threats. When they encounter a secure system, most hackers will simply probe for known vulnerabilities and move on to easier targets. But if you've neglected your security, if you've essentially left your cyberspace door open, they can compromise you so quickly and so thoroughly, it'll cost you hundreds of man hours to get things back on track.

That's the real lesson we should be taking from these attacks. Don't panic. Just make sure you've got a good firewall and a good antivirus program at home, and make sure your IT guys have the resources they need to make security a priority in your workplace.

If you haven't had a problem before, your security is probably a little lax. It's easy to cut corners when deadlines are raging and doing it right means asking for money. But a vulnerable system doesn't just put your company at risk. It also exposes your partners, your vendors and your customers.

In cyberspace, national security really does start with home security. Educate yourself on the basics and don't let the headlines carry you away.

THE PAGE STOPS but the blog goes on. Talk back to Michael at michaelduff.net.